March 30, 2017

Toby Gouker • Vice President of Strategy

Best Practices of the Nation’s Top Systems 

First Cyber Health Solutions was fortunate to have the opportunity to learn recently what some of the nation’s leading healthcare systems are focused on in order to reduce their organization’s risk of incurring a security breach. We all know how daunting the task of protecting our organization’s infrastructure from attack is. It can be so overwhelming and complex that you don’t even know where to start. Why not follow the lead of some of our nation’s leading providers and focus first on the four areas listed below?

  1. Old software vulnerabilities:

    Just as with attacks on other industries, attacks on healthcare systems are still primarily coming in through the tried and true techniques that malicious actors have used for many, many years. It is cost effective for the bad actors to stick with what works, until it stops working. While most healthcare facilities practice good hygiene to combat biological viruses, few practice good hygiene when it comes to computer viruses. Major healthcare systems have now begun to recognize the major vector for computer virus infection: poor software updating practices. With up to 1,000 different applications running in a major healthcare system, the current focus is on identifying applications that have not been updated and applying the proper patches. Once a system has been patched to eliminate known vulnerabilities, CISOs are having automatic patch management software installed so that new holes are not opened up in the application layer of their networks.

    Even if you only have 100 applications running and not 1,000, it only takes one application with a vulnerability to allow malicious activity into your system, where it can proliferate: establishing command and control, staging internal storage to collect a copy of your valuable data, and using exfiltration techniques to run off with your crown jewels.

  2. Endpoint security:

    One of the major challenges that healthcare IT systems face relative to IT systems in other industries is the degree to which their systems are open to the public, and open to the constant addition of new computer-enabled devices. Endpoint device management has risen to become a major initiative in healthcare facilities of all sizes. The installation of anti-virus software has been judged as “necessary, but insufficient” to protect endpoints that are interacting with the World Wide Web. It is too easy for a bad actor to slightly alter the signature of their virus attack and evade anti-virus programs. Healthcare systems are now turning to detection forensics and response techniques.

    Since detection forensics typically relies on some form of anomaly detection, it is important for a healthcare facility to first determine what is “normal” for their IT system’s operation. The top systems in the nation have already created a baseline of activity that they deem as normal information flow within their networks. With a baseline established, efforts have now turned to anomalous event logging for follow-up forensic investigations.
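    The baseline-then-anomaly approach described above, shown as an added example (this is illustrative code written for this page, not a tool from First Cyber Health Solutions or any of the healthcare systems mentioned). It assumes a simple, constructed flow-log format of `timestamp host dst_ip dst_port bytes`; the host names, addresses and byte counts are made up. The baseline window records, per workstation, which destination/port pairs are normal and the typical byte volume; the review window is then checked against it, and every flow that leaves the baseline is logged with a reason for follow-up.

```python
"""Baseline a host's normal network behaviour, then log what falls outside it.

Added illustration for this page; the log format and all sample values are
constructed and do not describe any real hospital network.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "normal week" flow records: timestamp host dst_ip dst_port bytes
BASELINE_WINDOW = """\
2017-03-01T08:00:01 ws-nursing-01 10.0.5.20 443 1200
2017-03-01T08:05:11 ws-nursing-01 10.0.5.20 443 1350
2017-03-01T08:09:40 ws-nursing-01 10.0.5.20 443 1280
2017-03-01T08:15:02 ws-nursing-01 10.0.5.21 636 1190
2017-03-01T08:21:53 ws-nursing-01 10.0.5.20 443 1420
2017-03-01T08:02:07 ws-pharmacy-03 10.0.7.40 1433 5100
2017-03-01T08:16:44 ws-pharmacy-03 10.0.7.40 1433 4900
"""

# Constructed later window to review against the baseline
REVIEW_WINDOW = """\
2017-03-02T08:01:13 ws-nursing-01 10.0.5.20 443 1300
2017-03-02T08:04:58 ws-nursing-01 198.51.100.7 8443 900
2017-03-02T08:07:30 ws-nursing-01 10.0.5.20 443 250000
2017-03-02T08:11:05 ws-pharmacy-03 10.0.7.40 1433 5000
2017-03-02T08:12:19 ws-unknown-99 10.0.7.40 1433 800
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, port, nbytes = line.split()
        flows.append({"ts": ts, "host": host, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def build_baseline(flows):
    """Per host: the set of (dst, port) pairs seen, plus mean and stdev of bytes."""
    pairs = defaultdict(set)
    volumes = defaultdict(list)
    for f in flows:
        pairs[f["host"]].add((f["dst"], f["port"]))
        volumes[f["host"]].append(f["bytes"])
    return {
        host: {"pairs": pairs[host],
               "mean": mean(volumes[host]),
               "stdev": pstdev(volumes[host])}
        for host in pairs
    }


def detect_anomalies(baseline, flows, sigma=3.0, min_stdev=100.0):
    """Return (host, reason, flow) for each flow that falls outside the baseline.

    min_stdev stops a host with nearly constant traffic from being flagged on
    tiny fluctuations (pstdev of a single observation is 0).
    """
    findings = []
    for f in flows:
        profile = baseline.get(f["host"])
        if profile is None:
            findings.append((f["host"], "host not in baseline", f))
            continue
        if (f["dst"], f["port"]) not in profile["pairs"]:
            findings.append((f["host"], "new destination/port", f))
        threshold = profile["mean"] + sigma * max(profile["stdev"], min_stdev)
        if f["bytes"] > threshold:
            findings.append((f["host"], "volume above baseline", f))
    return findings


if __name__ == "__main__":
    base = build_baseline(parse_flows(BASELINE_WINDOW))
    for host, reason, flow in detect_anomalies(base, parse_flows(REVIEW_WINDOW)):
        print(f"{flow['ts']} {host}: {reason} "
              f"({flow['dst']}:{flow['port']}, {flow['bytes']} bytes)")
```

    Run against the constructed data, the review window produces three findings: the nursing workstation reaching a destination and port it never used during the baseline, the same workstation sending roughly 200 times its usual volume, and a host that was never profiled at all. Each finding carries the original flow so the event log can be handed straight to a forensic follow-up; the baseline itself should be rebuilt periodically, since a hospital network's "normal" changes as devices are added.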

  3. Vendor and other trusted system vulnerabilities:

    One of the more infamous breaches in recent history, the breach of Target, was initiated through a trusted intranet connection from their HVAC vendor. One of the more recent breaches in a healthcare system was initiated through the cafeteria system’s operations. To provide access to information for doctors, nurses and other healthcare providers, healthcare systems have evolved into a collection of trusted networked systems, trust being the operative word, chosen to increase the speed of information flow. The trust in the network means that there are no guards at the borders from one system to the next to slow down the flow of information, and no need to stop and re-authenticate your identity as you ask for more information.

    Healthcare systems have recognized that this responsiveness to information flow has also exposed systems to significantly increased risks. Should a bad actor breach a system at any entry point, they can then move freely throughout the system to “smash and grab” information as they see fit. In response to this increased risk, healthcare facilities are developing segmented networks, and even micro-segmentation techniques, as a layer of protection around their most critical information. Segmentation sets up artificial “border crossings” within a network that can be used to tailor authentication and identification requirements for access to particular information. Segmentation is an important feature in large healthcare systems when it comes to mitigating damage from a potential ransomware attack. When access to critical information is more tightly controlled, there is less of a chance that malware can travel throughout the system, encrypting data.
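    The “border crossing” idea above, shown as an added example (illustrative code written for this page, not a design from any of the healthcare systems or vendors mentioned). It assumes a hypothetical hospital divided into named zones, a flat “trusted intranet” policy that lets every zone reach every other, and a segmented policy in which each permitted crossing names the authentication it requires. The zone names, the crossings and the authentication labels are all constructed. Two checks are provided: whether a single flow is allowed, and the transitive set of zones that could be reached from a given starting zone if every crossing’s credential were obtained, which is the blast radius a defender wants to keep small for vendor links and kiosks.

```python
"""Model network segmentation as zones with authenticated border crossings.

Added illustration for this page; zone names and policies are constructed.
"""
from collections import deque

# Hypothetical hospital zones
ZONES = ["vendor-hvac", "building-mgmt", "cafeteria-pos", "corporate-it",
         "clinical-ws", "clinical-ehr", "imaging-pacs", "backup-vault"]

# Flat "trusted intranet": any zone reaches any other, no authentication at borders.
FLAT_POLICY = {(a, b): "none" for a in ZONES for b in ZONES if a != b}

# Segmented design: only listed crossings exist, each naming the credential required.
SEGMENTED_POLICY = {
    ("vendor-hvac", "building-mgmt"): "vpn-cert",      # vendor link ends in its own zone
    ("cafeteria-pos", "corporate-it"): "service-cert",  # POS reports to finance only
    ("clinical-ws", "clinical-ehr"): "mfa",
    ("clinical-ws", "imaging-pacs"): "mfa",
    ("clinical-ehr", "backup-vault"): "service-cert",
}


def check_flow(policy, src, dst, presented_auth):
    """Decide one flow at a zone border. Returns (allowed, reason)."""
    if src == dst:
        return True, "intra-zone"
    required = policy.get((src, dst))
    if required is None:
        return False, "no border crossing defined"
    if required != "none" and presented_auth != required:
        return False, f"border requires {required}"
    return True, f"crossing permitted with {required}"


def reachable_zones(policy, start):
    """Zones reachable from `start`, transitively, assuming the credential for
    every crossing along the way is available: the blast radius of a compromise
    in `start`. The start zone itself is not included."""
    seen = set()
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for (src, dst) in policy:
            if src == zone and dst not in seen and dst != start:
                seen.add(dst)
                queue.append(dst)
    return seen


def blast_radius_report(policy):
    """Map every zone to the sorted list of zones a compromise there could reach."""
    return {z: sorted(reachable_zones(policy, z)) for z in ZONES}


if __name__ == "__main__":
    print("vendor-hvac -> clinical-ehr, flat:     ",
          check_flow(FLAT_POLICY, "vendor-hvac", "clinical-ehr", None))
    print("vendor-hvac -> clinical-ehr, segmented:",
          check_flow(SEGMENTED_POLICY, "vendor-hvac", "clinical-ehr", "mfa"))
    for zone, reach in blast_radius_report(SEGMENTED_POLICY).items():
        print(f"{zone:15s} can reach {reach}")
```

    Under the flat policy a foothold in the HVAC vendor zone reaches all seven other zones; under the segmented policy it reaches only building management, and the cafeteria point-of-sale zone reaches only corporate IT. The report also makes a weaker spot visible: a compromised clinical workstation can still reach the backup vault by way of the EHR zone, which is exactly the kind of path a ransomware review would want to cut or tighten (for instance by allowing only the backup service, not workstation sessions, to cross that border). Rerunning the report after each policy change is a cheap way to confirm that a segmentation project is actually shrinking the blast radius around the crown jewels.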

  4. Staff cybersecurity awareness:

    The behavior of a computer virus in an organization is much like the behavior of a biological virus in a population. It spreads on contact from one person to another. Healthcare personnel have been identified as the single largest source of malware introduction into an organization. So just as proper hand washing hygiene is important to control the vector of a biological virus in an organization, proper cyber-hygiene is important to control the spread of computer viruses and other malware. Large healthcare facilities are undertaking major efforts in cybersecurity awareness, just as they successfully undertook major hand washing efforts to mitigate healthcare-associated infections (HAIs).

    Once-per-year training on cybersecurity is no longer enough. Smaller monthly training initiatives are being implemented by the top healthcare systems. This monthly training is accompanied by “inoculation tests”, otherwise known as phishing tests, to see if cybersecurity awareness training is effective. Remediation activities are then implemented depending on the outcome of the phishing tests.